Energy: critical flaw in industrial surveillance machinery
Nozomi Networks has identified three vulnerabilities, one critical, with no available patches, in equipment widely used by energy infrastructure.
On September 26, 2023, Nozomi Networks, the OT, IT and IoT visibility specialist, revealed three security flaws in Bently Nevada 3500 industrial monitoring devices. The latter detect and prevent irregularities in rotating machinery, such as turbines, steamrollers, engines and generators.
The Bently Nevada 3500 is widely used in energy infrastructure, such as refineries, petrochemical facilities, hydroelectric plants and wind farms. Nozomi Networks is particularly concerned about one of the vulnerabilities, which the firm deems critical. Indeed, it allows an attacker to bypass the authentication process and gain full access to the device, through a simple malicious request.
Even worse, the machinery runs on old software, which is proving impossible to patch. Nozomi Networks has provided no technical details on these vulnerabilities, so as not to give cybercriminals any ideas. Bently Nevada, a subsidiary of the oil field service giant, Baker Hughes, has however provided its customers with several recommendations to avoid exposing vulnerable machinery. In particular, the manufacturer advises:
- to favor “Config” mode over “Run” mode when doing maintenance;
- to split up the network in order to prevent unauthorized access;
- to use unique and complex passwords.